The consistent increase in annual cybercrime damages is not sustainable, Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency, said Thursday at CES in Las Vegas.
Cybercrime damages cost organizations $6 trillion last year, she said. They are projected to reach $8 trillion this year and $10.5 trillion in 2025. The data Easterly cited came from Cybersecurity Ventures research.
“We cannot accept that 10 years from now it’s going to be the same or worse than where we are now,” Easterly said. “The critical infrastructure that Americans rely on every day … is underpinned by a technology base and that technology base was created effectively in an insecure way.”
This won’t change until priorities and incentives are realigned, she said.
Risks remain heightened due to decades of insecure technology design, inconsistent cooperation between industry and government, lopsided responsibilities and backwards compatibility with insecure protocols.
Change starts with a recognition that cybersecurity is a fundamental safety issue, according to Easterly.
“We’ve somehow accepted that the incentives in technology are all aligned toward cost, capability, performance, speed to market, and not safety,” she said.
Companies are automatically blamed when they’ve been breached or didn’t patch a vulnerability that resulted in an attack, but that sole blame misses the broader challenge and questions everyone should be asking of technology vendors, according to Easterly.
“Why did that software have so many vulnerabilities in it that it has to be constantly patched every week? Why did that software have a vulnerability that caused such a damaging breach?” she said.
Organizations are relying on technology that gives security short shrift.
“We can’t just let technology off the hook,” Easterly said.
CEOs, boards must own enterprise risk
Placing a greater onus for cyber responsibility on technology vendors and manufacturers requires a realignment of priorities, paired with a shift in how enterprises assign risk accountability at the company level.
Enterprise risk is owned by the CEO and the board, not CISOs or CSOs, Easterly and CrowdStrike CEO George Kurtz said on a panel at the event. More than 115,000 people attended the event, according to event organizers.
“You’re talking about 4,000 years of history of sacrificing people that maybe shouldn’t have been sacrificed,” Kurtz said. “A lot of times the CISOs [get] an 18-month career lifespan, and if they didn’t get funded and they identify the risk it doesn’t mean that they’re not going to get offered up. It’s a tough job.”
Many good CISOs identify risks, don’t get funding after requesting a budget to tackle the problem, and get dismissed within months of a breach, he said.
“These CISOs are the ones who are busting their ass every day to help secure the company and they need to have the resources, the influence, and they need to be prioritized so they can actually help drive down risk to the company,” Easterly said.
Responsibilities aside, the outlook for cybersecurity-related damages is poor. While Easterly avoided making any predictions, Kurtz identified a key factor that no organization or government agency can control.
“Whenever there’s a recession, cybercrime tends to go up,” Kurtz said. “Layoffs happen – less people to mind the store – and we tend to see more breaches.”
Clarification: This article has been updated to include citation information for data discussed by CISA Director Jen Easterly.